Permission Denied on Domain Controller For Internal LB #6590

@KuasarCloud

ISSUE TYPE
  • Bug Report
COMPONENT NAME

API, UI

CLOUDSTACK VERSION

ACS 4.15.2.0

CONFIGURATION

Advanced Network with VPC

OS / ENVIRONMENT

Hypervisor KVM

SUMMARY

When using a domain controller user in ACS to deploy CreateLoadBalancer, I am receiving a “531 Unable to use network with id= 498611f9-xxx-4030-aa10-e7d7ad062d1a, permission denied”.

LOGS

Apilog


2022-07-27 11:34:57,218 INFO [a.c.c.a.ApiServer] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) (userId=4 accountId=4 sessionId=null) 192.168.xxx.xxx -- GET algorithm=source&apiKey=GoHebItTOdSc4zf5NcwxDxRo&command=createLoadBalancer&description=lb01&instanceport=8080&name=lb01&networkid=498611f9-xxxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal&sourceipaddressnetworkid=498611f9-cd93-4030-aa10-e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw 531 Unable to use network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission denied

Management-server


2022-07-27 11:34:57,198 DEBUG [c.c.a.ApiServlet] (qtp2109798150-1192:ctx-de4123f6) (logid:b8e0600b) ===START=== 192.168.xx.xx-- GET algorithm=source&apiKey=GoHebItTOdSc4zf5NcwxDxR &command=createLoadBalancer&description=lb01&instanceport=8080&name=lb01&networkid=498611f9-xxxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal&sourceipaddressnetworkid=498611f9-xxx-4030-aa10-e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw3Lxqdo%2Bj8k%3D
2022-07-27 11:34:57,201 DEBUG [c.c.a.ApiServer] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc) (logid:b8e0600b) CIDRs from which account 'Acct[c5aac4a3-xxxx-43a9-8117-eb2fa34fdca5-cocentrodemo1control]' is allowed to perform API calls: 0.0.0.0/0,::/0
2022-07-27 11:34:57,205 DEBUG [o.a.c.a.BaseCmd] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) Ignoring paremeter fordisplay as the caller is not authorized to pass it in
2022-07-27 11:34:57,207 DEBUG [c.c.u.AccountManagerImpl] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) Access to Acct[39efe918-df79-45ec-b8f0-302c6d44dfa9-PrjAcct-624349294c0efe30d9ec0fd6-3] granted to Acct[026a2cc9-xxxx-447a-9bf3-6a749fae743a-demo1control] by DomainChecker
2022-07-27 11:34:57,209 DEBUG [o.a.c.a.BaseCmd] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) Ignoring paremeter fordisplay as the caller is not authorized to pass it in
2022-07-27 11:34:57,217 INFO [c.c.a.ApiServer] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) PermissionDenied: Unable to use network with id= 498611f9-xxxx-4030-aa10-e7d7ad062d1a, permission denied on objs: []
2022-07-27 11:34:57,218 DEBUG [c.c.a.ApiServlet] (qtp2109798150-1192:ctx-de4123f6 ctx-f93ec0cc ctx-8c0287a4) (logid:b8e0600b) ===END=== 192.168. === 192.168.xx.xx -- GET algorithm=source&apiKey=GoHebItTOdSc4zf5NcwxDxRo5v1FeY&command=createLoadBalancer&description=lb01&instanceport=8080&name=lb01&networkid=498611f9-xxx-4030-aa10-e7d7ad062d1a&response=json&scheme=Internal&sourceipaddressnetworkid=498611f9-xxxx-4030-aa10-e7d7ad062d1a&sourceport=8080&signature=gB%2BseI8Ku7ZCN9drw3Lxqdo%2Bj8k%3D
2022-07-27 11:34:57,566 DEBUG [c.c.a.m.AgentManagerImpl] (AgentManager-Handler-12:null) (logid:) SeqA 47-30512: Processing Seq 47-30512: { Cmd , MgmtId: -1, via: 47, Ver: v1, Flags: 11, [{"com.cloud.agent.api.ConsoleProxyLoadReportCommand":{"_proxyVmId":"7557","_loadInfo":"{
"connections": []

STEPS TO REPRODUCE

Using Domain Controller User/API, go to VPC -> Network (tier) -> Create Internal LB

EXPECTED RESULTS

Internal LB created for the Tier in the VPC
